The SonicWall Capture Labs Threat Research team recently observed a new version of the Gh0stNet backdoor spreading via a fileless technique that uses a PowerShell script for initial execution. This version of Gh0stNet uses new commands for communication.

Infection Cycle:

Upon execution, the script spawns powershell.exe to perform its malicious activities.

Fig1. Trojan uses powershell.exe to download and register itself as a startup item

Figure 1 shows that the script downloads Base64-encoded data from a pastebin.com address.
It then decodes and unzips the data to obtain the next-level PowerShell script. The second-stage PowerShell script is shown in the figure below:
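The decode-then-decompress step above is the one an analyst usually has to repeat by hand to get at the second stage. The following Python helper is an added example written for this write-up, not code from SonicWall or from the malware: it Base64-decodes a stager blob and tries the decompressors a PowerShell stager typically pairs with FromBase64String (GZipStream, raw DeflateStream, zlib). The embedded stage-2 text is a constructed placeholder, and the compressor used by the real sample is an assumption.

```python
import base64
import gzip
import zlib

# Constructed stand-in for the second-stage script; the real stage-2 content is not reproduced here.
STAGE2_SCRIPT = 'Write-Host "stage-2 placeholder"'


def make_sample_blob(script: str, codec: str = "gzip") -> str:
    """Build a Base64(compressed) blob of the kind a PowerShell stager fetches (constructed sample)."""
    data = script.encode("utf-8")
    if codec == "gzip":
        packed = gzip.compress(data)
    elif codec == "deflate":  # raw DeflateStream output, no zlib header
        comp = zlib.compressobj(wbits=-zlib.MAX_WBITS)
        packed = comp.compress(data) + comp.flush()
    else:
        raise ValueError(f"unsupported codec: {codec}")
    return base64.b64encode(packed).decode("ascii")


def unpack_stage(b64_text: str) -> tuple:
    """Base64-decode a stager blob and try each decompressor in turn.

    Returns (codec_name, decoded_text); codec_name is "none" when the payload
    was not compressed at all.
    """
    raw = base64.b64decode("".join(b64_text.split()))  # tolerate line-wrapped paste text
    attempts = (
        ("gzip", gzip.decompress),
        ("deflate", lambda d: zlib.decompress(d, -zlib.MAX_WBITS)),
        ("zlib", zlib.decompress),
    )
    for name, decompress in attempts:
        try:
            return name, decompress(raw).decode("utf-8", errors="replace")
        except (OSError, zlib.error, EOFError):
            continue
    return "none", raw.decode("utf-8", errors="replace")


if __name__ == "__main__":
    codec, text = unpack_stage(make_sample_blob(STAGE2_SCRIPT))
    print(codec, text)
```

The decompressors are tried in order and each failure is swallowed, so the same call works whether the stager used GZipStream, DeflateStream, or no compression; the returned codec name tells the analyst which one the sample actually used.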

Fig2. Base64 Encoded shellcode

After decoding the Base64-encoded shellcode, it calls the "Inject-LocalShellcode" function to inject the shellcode into the running PowerShell instance, as shown in the figure below:

When the UPX-unpacked code executes, it first decodes the config string using a custom Base64 decoding key, as shown below:

Fig5. Decrypting the config URL using a custom key
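A "custom Base64 key" of this kind is a permuted 64-character alphabet: the encoded config only looks opaque until each symbol is mapped back onto the standard alphabet and decoded normally. The helper below is an added example for this write-up, not SonicWall's or the malware's code. The alphabet it uses is a placeholder (the standard alphabet reversed), since the sample's real key is not reproduced here; an analyst substitutes the alphabet recovered from the binary.

```python
import base64
import string

STANDARD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Placeholder key: the sample's real custom alphabet is not in the write-up, so this
# is just the standard alphabet reversed, enough to demonstrate the technique.
PLACEHOLDER_ALPHABET = STANDARD_ALPHABET[::-1]


def _check_alphabet(alphabet: str) -> None:
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("a Base64 alphabet must be 64 distinct characters")


def custom_b64_decode(text: str, alphabet: str, pad: str = "=") -> bytes:
    """Decode Base64 written with a non-standard alphabet.

    Each custom symbol is translated back to its standard counterpart and the
    result is handed to the stock decoder, which also rejects stray characters.
    """
    _check_alphabet(alphabet)
    table = str.maketrans(alphabet + pad, STANDARD_ALPHABET + "=")
    cleaned = "".join(text.split())           # drop wrapping whitespace
    standard = cleaned.translate(table)
    standard += "=" * (-len(standard) % 4)    # restore padding if the sample stripped it
    return base64.b64decode(standard, validate=True)


def custom_b64_encode(data: bytes, alphabet: str, pad: str = "=") -> str:
    """Inverse mapping, used here only to build test vectors."""
    _check_alphabet(alphabet)
    table = str.maketrans(STANDARD_ALPHABET + "=", alphabet + pad)
    return base64.b64encode(data).decode("ascii").translate(table)


if __name__ == "__main__":
    sample = custom_b64_encode(b"http://example.invalid/c2", PLACEHOLDER_ALPHABET)
    print(sample, custom_b64_decode(sample, PLACEHOLDER_ALPHABET))
```

Decoding the same string with the wrong alphabet still succeeds but yields garbage, which is why recovering the exact alphabet from the unpacked code matters more than recognising the encoding as Base64.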

Visiting the URL shows seemingly encoded information.

Fig6. Some encoded data shown on the page of the decoded URL

Figure 7 below shows that the malware searches for the marker "x=" in the response to its POST request to the URL. Once the marker is found, it decodes the string that follows the marker to obtain the second-stage command-and-control server.

Fig7. Decoded response from the URL

After this, the backdoor starts communicating with the command-and-control server by sending the following request:

Fig8. Scote_connection|hwid = [customid_from_created_cpuid]

It then creates a thread that listens for incoming commands from the command-and-control server.

The following are the commands sent from the remote server:

scote_info_ipconfig

scote_info_systeminfo

scote_drop

scote_upgrade

scote_upgrade_internal

Below are the functionality details for each command:

scote_info_ipconfig:

In response to this command, the backdoor collects the IP configuration by executing "cmd.exe /C ipconfig".
It then encrypts the output with a custom Base64 key and sends it to the C&C server in the format "command=scote_info_ipconfig|buffer=[Encrypted IP Config]".
The figure below shows that response packet:

Fig9. Sample response to scote_info_ipconfig command

scote_info_systeminfo:

In response to this command, the backdoor collects system information by executing "cmd.exe /C systeminfo".
It then encrypts the output with a custom Base64 key and sends it to the C&C server in the format "command=scote_info_systeminfo|buffer=[Encrypted System Info]".

The figure below shows that response packet:

Fig10. Sample response to scote_info_systeminfo command
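The beacon format from Figure 8 ("Scote_connection|hwid = ...") and the response format shared by scote_info_ipconfig and scote_info_systeminfo ("command=...|buffer=...") are plain pipe-separated key=value strings, which makes them a usable network detection artefact. The snippet below is an added example for this write-up, not SonicWall's signature or the malware's code: it parses POST bodies in that shape and flags the ones that carry a Scote beacon or one of the command names listed above. The sample bodies are constructed; the buffer values are placeholders, not real captures.

```python
from typing import Optional

# Command names as listed in the write-up.
KNOWN_COMMANDS = {
    "scote_info_ipconfig",
    "scote_info_systeminfo",
    "scote_drop",
    "scote_upgrade",
    "scote_upgrade_internal",
}


def parse_scote_fields(body: str) -> dict:
    """Split 'a|b = c|d=e' into {'a': None, 'b': 'c', 'd': 'e'}.

    Keys are lower-cased and whitespace around '=' is tolerated, since the
    beacon in Figure 8 is written with spaces around it.
    """
    fields = {}
    for part in body.strip().split("|"):
        key, sep, value = part.partition("=")
        key = key.strip().lower()
        if not key:
            continue
        fields[key] = value.strip() if sep else None
    return fields


def classify_body(body: str) -> Optional[str]:
    """Return a detection label for a POST body, or None if it does not match."""
    fields = parse_scote_fields(body)
    if "scote_connection" in fields and fields.get("hwid"):
        return "scote-beacon"
    cmd = fields.get("command")
    if cmd in KNOWN_COMMANDS and "buffer" in fields:
        return f"scote-response:{cmd}"
    return None


def scan_bodies(bodies) -> list:
    """Run classify_body over a sequence of bodies; return (index, label) for hits."""
    hits = []
    for i, body in enumerate(bodies):
        label = classify_body(body)
        if label:
            hits.append((i, label))
    return hits


# Constructed sample POST bodies (not real captures); buffer contents are placeholders.
SAMPLE_BODIES = [
    "Scote_connection|hwid = 0123456789abcdef",
    "command=scote_info_ipconfig|buffer=PLACEHOLDER_ENCODED_IPCONFIG",
    "command=scote_info_systeminfo|buffer=PLACEHOLDER_ENCODED_SYSTEMINFO",
    "user=alice&action=login",
]


if __name__ == "__main__":
    for index, label in scan_bodies(SAMPLE_BODIES):
        print(index, label)
```

Matching on the structured fields rather than on a raw substring keeps the rule robust to the spacing and case differences between the beacon and the command responses, and the label carries the command name so an analyst can see which collection step the host has already reached.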

scote_drop:

The backdoor terminates after receiving this command.

scote_upgrade:

After receiving this command, the backdoor injects its code into "svchost.exe" and "explorer.exe" and then terminates itself. Before the code injection, the backdoor installs a hook on "ntdll.ZwDelayExecution" to evade analysis and performs the injection through the hooked function, as shown below:

Fig11. Code injection through another hooked function

SonicWall Capture Labs provides protection against this threat with the following signature: